Troubleshooting SSL handshake in F5 BIG-IP LTM – Part 1 (SSL/TLS Protocol Mismatch)

 

How to identify if there is an SSL/TLS protocol mismatch between the client and the F5 LTM?

1.  Check the protocol version used by the client in Wireshark captures, under the “Client Hello” packet.

2.  Check the SSL/TLS protocol version supported by the LTM for a particular VIP

  • Run curl checks if possible from a remote server:
      curl -Ik https://site1.dc1.networkology.net --sslv2
      curl -Ik https://site1.dc1.networkology.net --sslv3
      curl -Ik https://site1.dc1.networkology.net --tlsv1
      curl -Ik https://site1.dc1.networkology.net --tlsv1.0
      curl -Ik https://site1.dc1.networkology.net --tlsv1.1
      curl -Ik https://site1.dc1.networkology.net --tlsv1.2
  • Check if any protocol is negated in ciphers under the client-ssl profile;
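
The curl checks above as a single probe that pins both the minimum and the maximum version, because current curl releases treat `--tlsv1.x` as a minimum and will otherwise negotiate a newer protocol and report success. This is an added example, not part of the original post; it assumes curl 7.54.0 or later (for `--tls-max`), extends the list to TLS 1.3, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which TLS versions a VIP accepts, one version at a time.
# SSLv2/SSLv3 are left out: curl 7.77.0 and later ignore --sslv2 and --sslv3.

# Build curl options that pin BOTH ends of the version range, so a success
# means the VIP negotiated exactly this version and nothing newer.
pin_args() {
  case "$1" in
    1.0|1.1|1.2|1.3) printf '%s %s %s' "--tlsv$1" --tls-max "$1" ;;
    *) return 1 ;;
  esac
}

# Map a curl exit status to a verdict for the troubleshooting notes.
verdict() {
  case "$1" in
    0)  echo accepted ;;
    # 35 = TLS handshake failed: refused by the VIP, or by a local TLS
    # library whose policy disallows this version. Confirm in the capture.
    35) echo rejected ;;
    # Anything else (DNS, TCP connect, timeout) says nothing about TLS.
    *)  echo inconclusive ;;
  esac
}

# Probe every version against one URL and print one line per version.
probe_vip() {
  url=$1
  for v in 1.0 1.1 1.2 1.3; do
    rc=0
    # Word splitting of the pin_args output is intended here.
    curl -sIk --connect-timeout 5 -o /dev/null $(pin_args "$v") "$url" || rc=$?
    printf 'TLS %s: %s (curl exit %s)\n' "$v" "$(verdict "$rc")" "$rc"
  done
}

# Run only when a URL is given, e.g.:
#   ./tls_probe.sh https://site1.dc1.networkology.net
if [ "$#" -gt 0 ]; then probe_vip "$1"; fi
```

A version reported as rejected here while the client's “Client Hello” offers only that version is the protocol mismatch this part describes.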
